Ransom speculation as US reels from health cyberattack


As healthcare facilities and pharmacies try to recover from one of the most disruptive cyberattacks in US history, reports have emerged that the perpetrators may have received a hefty ransom payment.

The ransomware attack by the notorious ALPHV/Blackcat hacker group on UnitedHealth Group’s Change Healthcare unit, which first emerged on 21st February, is still disrupting systems used to pay for prescriptions and process health reimbursement claims across the US. The group claims to have seized around 6 terabytes of claims data, including payment and insurance information and health records.

A report in WIRED, attributed to TRM Labs, suggests that a Bitcoin address belonging to ALPHV hackers received a single payment of 350 bitcoins, worth nearly $22 million, which could indicate that a ransom has been paid in connection with the attack.

It also speculates that some of the scammers may have been scammed in turn, alluding to posts on the Dark Web that suggest ALPHV ‘associates’ – individual hackers working on behalf of the group – had been cheated of their share of the ransom. ALPHV’s Dark Web site has now been taken offline.

Change Healthcare, which processes 15 billion healthcare transactions a year and is involved in one out of every three patient records in the US, has declined to comment on whether it paid a ransom, simply saying that it continues to investigate the matter.

If a ransom has been paid, there are concerns that a precedent has been set that could result in additional cyberattacks on healthcare systems in future.

“We are working on multiple approaches to restore the impacted environment and continue to be proactive and aggressive with all our systems, and if we suspect any issue with the system, we will immediately take action,” it said in a statement.

AHA slams UnitedHealth for inadequate response

Meanwhile, the American Hospital Association (AHA) has said that measures introduced by UnitedHealth in response to the attack – including a temporary funding assistance programme offering short-term loans to affected healthcare organisations – are “not even a band-aid on the payment problems.”

In a letter to UnitedHealth’s chief operating officer Dirk McMahon, AHA chief executive Richard Pollack wrote that “limited eligibility and [...] one-sided contractual terms” undermine the assistance programme.

“We have heard from some hospitals and health systems that these simply are not terms they can accept, especially when their financial future becomes more unpredictable the longer Change Healthcare is unavailable,” he continued.

The fallout from the attack has also caught the attention of lawmakers, including Senator Chuck Schumer (D-NY), who has issued a call for the Centers for Medicare and Medicaid Services (CMS) to make payments to hospitals in advance of receiving claims from them, to alleviate the financial burden caused by the outage.

“Hospitals are essential to quality patient care, but this latest vicious cyberattack has blocked many healthcare providers and pharmacies from getting paid and processing insurance claims,” wrote Schumer. “If this continues, it can lead to layoffs or even reductions in care.”

Photo by Akin Cakiner on Unsplash